An edited version of this piece by Nehaa Chaudhari was first published by Inc42 and is available here.
About ten days ago, the Committee of Experts appointed by the Ministry of Electronics and Information Technology (MEITY) and chaired by Justice Srikrishna (Srikrishna Committee) released its final recommendations on what India’s data protection framework should look like. It also released a draft Personal Data Protection Bill, 2018 (PDP Bill).
In this piece, I juxtapose the PDP Bill with the Telecom Regulatory Authority of India’s (TRAI) recommendations on privacy and data ownership (TRAI recommendations), and the Reserve Bank of India’s (RBI) diktat on localizing payment systems data (RBI circular). (See here and here for collated lists of articles on other aspects of the PDP Bill).
What might happen to the RBI circular and the TRAI recommendations when (any version of) the PDP Bill gets enacted? Let us begin with some recent history.
In July, 2017, the Indian government tasked the Srikrishna Committee with developing a comprehensive data protection law for India. The committee then released a white paper for public comments, and later, in January, 2018, conducted four public consultations – one each in Delhi, Bangalore, Hyderabad, and Mumbai. Half a year later, ending months of speculation around the timing of their release, the committee came out with its final recommendations and the PDP Bill. Meanwhile, in August, 2017, TRAI began its own consultation on privacy, data security and data ownership in the telecom sector. TRAI’s deliberations ran in parallel to the Srikrishna Committee’s own exercise, and culminated with the telecom regulator releasing its privacy recommendations on 16 July, 2018, less than two weeks before the Srikrishna Committee released its own.
TRAI was not the only regulator to have jumped on the data protection bandwagon, pending the release of the Srikrishna Committee’s final recommendations. In April, earlier this year, the country’s financial regulator mandated that payment systems data be localized – i.e., stored only (emphasis, mine) in India. While TRAI’s recommendations are just that – recommendations, the RBI’s mandate came into force immediately; payment systems providers have until 15 October, 2018, to comply and inform the RBI about their compliance.
TRAI’s and the RBI’s actions did not go down well with the Srikrishna Committee. Soon after TRAI released its recommendations, it was reported that the committee was upset with the timing of the telecom regulator’s move, as it would delay the release of its own final recommendations. As regards the RBI’s move, at the press conference to release the Srikrishna Committee’s final recommendations, Justice Srikrishna opined that the financial regulator had jumped the gun with its circular. The Srikrishna Committee’s displeasure with TRAI and the RBI aside, sectoral regulators will play a key role in taking forward India’s data protection framework. Justice Srikrishna has himself previously recognized this.
The PDP Bill is only the first step towards developing a comprehensive data protection framework for India. Sectoral regulators, TRAI and the RBI included, will no doubt play a key role in operationalizing the PDP Bill, and developing privacy principles and norms for their respective sectors. While the PDP Bill envisages the creation of a new authority – the Data Protection Authority – to oversee the implementation of the law, it also requires this authority to consult and work with other sectoral regulators.
Given that the PDP Bill will be the parent law, any action that TRAI, the RBI or any other regulator takes on data protection will have to be in line with its provisions. Any action by any regulator that is inconsistent with the parent law when it comes into force will have to be revisited. With this in mind, it is unlikely that TRAI’s sweeping privacy recommendations, which expand its jurisdiction to well beyond telecom, will translate into concrete regulation in their current form. The “digital ecosystem” that the telecom regulator talks about regulating will, in any case, be subject to the country’s data protection law.
TRAI’s attempt at expanding its jurisdiction is not new, and can be traced back at least to 2008, when it first attempted to regulate “value added services”. In the past decade, these efforts at regulating more than just telecom have continued, although the terminology has changed — “value added services” have become “application services”, “over-the-top services”, and now, the “digital ecosystem”.
TRAI’s privacy recommendations, its latest attempt at over-regulating, differ from the PDP Bill in certain key areas. In TRAI’s view, users own their personal information, and data controllers (called data fiduciaries under the PDP Bill) are “mere custodians” of this data. The PDP Bill grants users no ownership rights, but creates a fiduciary relationship between data fiduciaries and users, such that the former are required to act in the best interests of the latter. Further, while the PDP Bill only holds data fiduciaries liable under the law, and data processors only under certain conditions, TRAI is of the view that both controllers and processors should be liable. TRAI’s recommendations and the PDP Bill also differ on data localization. The telecom regulator has not made any concrete recommendations on this issue, and has deferred to the Srikrishna Committee. On the other hand, the PDP Bill specifies different degrees of data localization for different categories of data, and mandates that critical personal data will be stored and processed only in India. Interestingly, the draft law does not specify what critical personal data is, and leaves it to the central government to define. It is likely that the government will designate telecom data to be critical personal data.
Unlike the TRAI recommendations, the RBI circular appears to be broadly in line with the PDP Bill. However, the lack of clarity on what constitutes critical personal data is an issue for financial information as well. Just like telecom data, it is entirely likely that the government will designate financial data to be critical personal data. Should that be the case, then all financial data, and not just payment systems data, will need to be stored and processed only in India.
The PDP Bill is likely to be modified before it is enacted into law. No matter the final shape of the law, however, the fact that sectoral regulators have a crucial role to play in shaping India’s data protection law remains unchanged.